Topic: DropBear Vulnerability (Read 3405 times)

After running a Nessus scan on my home network, the scanner indicates that the DropBear SSH versions running on my Vera units are vulnerable. The vulnerability is outlined under CVE-2012-0920 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0920). These vulnerabilities are resolved in newer versions of DropBear SSH (2012.55 or later).

Vera 3 Firmware: 1.7.760
DropBear SSH version: 0.53.1

Vera 2 Firmware: 1.5.622
DropBear SSH version: 0.52

Not sure if there is a roadmap to incorporate new versions of DropBear in future firmware, but maybe there should be. I would submit a bug report, but it doesn't seem that bugs.micasaverde.com is getting much attention.

Should not be much of an issue since Vera is usually protected by the firewall in your router.

If you are letting ports open in your router to access Vera then there are more problems than just DropBear to worry about.

I don't disagree that under most Vera scenarios, the vulnerability is lower than is outlined in the CVE. I do think this is something that should be addressed though. I submitted a ticket. I will follow up on what their response is.

They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself. But as mentioned by RTS, if you have an open FireWall, well then you have more issues to worry about.

They (Vera) should just update the OS apps + libs with every Firmware, and in case of UI5 at least provide an instruction for these kinds of updates to do it yourself.

Could not agree more... On my Veralite the OpenWRT under the hood of firmware 1.7.760 is still version 10.03.1 (backfire) that is more than three years old and 3 major revisions behind!!! I think (though I do not own one so it would be good for somebody who does to confirm) that Vera has upgraded OpenWRT a few times for the Vera Edge... Why not VeraLite (and I suspect Vera 3 as well)?

This vulnerability still exists on Vera Edge as of the latest firmware. I understand that firewall rules can restrict access to this vulnerability, but that's not a great excuse for not fixing it. It just creates another attack vector that can be used in conjunction with another vulnerability to gain access.
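For anyone who wants to check their own units without a full scanner run, here is an added example (not posted by any participant in this thread) that reads the SSH identification banner and compares the reported Dropbear version against the fixed release named in the first post, 2012.55. The function names are hypothetical, the sample banners are constructed from the versions quoted above, and the banner is only an indicator since a vendor can backport a fix without changing the version string.

```python
import re
import socket

# Fixed release as stated in the thread: 2012.55 or later.
FIXED = (2012, 55)

# Dropbear identifies itself as "SSH-2.0-dropbear_<version>".
BANNER_RE = re.compile(r"^SSH-[\d.]+-dropbear_(\d+(?:\.\d+)*)")


def parse_dropbear_version(banner):
    """Return the Dropbear version as a tuple of ints, or None if not Dropbear."""
    match = BANNER_RE.match(banner.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(banner):
    """True if the banner reports Dropbear older than FIXED, False if not,
    None when the server is not Dropbear or hides its version."""
    version = parse_dropbear_version(banner)
    if version is None:
        return None
    # Old 0.x releases and year-based releases (2011.54, 2012.55, ...)
    # order correctly under plain tuple comparison.
    return version < FIXED


def read_banner(host, port=22, timeout=5.0):
    """Fetch the identification line an SSH server sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.makefile("rb").readline(256).decode("ascii", "replace")


if __name__ == "__main__":
    # Constructed sample banners; replace with read_banner("<your Vera IP>").
    samples = {
        "Vera 3 (constructed)": "SSH-2.0-dropbear_0.53.1\r\n",
        "Vera 2 (constructed)": "SSH-2.0-dropbear_0.52\r\n",
        "patched (constructed)": "SSH-2.0-dropbear_2012.55\r\n",
    }
    for name, banner in samples.items():
        print(name, parse_dropbear_version(banner), needs_update(banner))
```

Run it from a machine on the same LAN as the Vera; a result of `None` means the banner did not identify Dropbear, so the version has to be confirmed another way.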